Calderdale and Huddersfield NHS trust investigates laptop patient data loss

According to local press reports in Huddersfield, the records were stolen when a computer used in conjunction with a scanning machine was taken from Calderdale Royal Hospital before Christmas.

The NHS trust says it has written to patients advising them of the potential data loss.

Infosecurity notes that the laptop was not used as a standalone unit, but as part of an EMG scanning machine at the hospital.

The trust told the local newspaper that it is now in discussions with manufacturers as to whether data could be encrypted to prevent information being accessed if such an event occurred again.

Commenting on the potential security breach, Nick Lowe, Check Point's head of Western Europe sales said: "Even though the laptop was used as part of a scanning solution, it still contained patients' personal details and was a likely target for theft, so it needed securing."

"Security has to be applied automatically whenever the laptop is locked or shut down, so that users don't have to remember to apply it, and can't work around it", he added.

Over at Credant Technologies, meanwhile, Sean Glynn, the endpoint data protection specialist's vice president, said that, unlike most NHS laptop thefts, the notebook was not used as a portable and/or standalone device, but apparently formed an integral part of Calderdale Royal Hospital's electromyography scanning system.

"This probably means that the health trust didn't apply its usual risk management procedures to the device, since it ostensibly formed part of the EMG patient scanning system. The data on the system should, however, have been encrypted, if only to prevent prying eyes looking at the patient records, especially since this was a scanner looking for a potentially serious clinical condition," he said.

"What the case highlights is the fact that patient data within the NHS needs to be protected at all times, preferably using encryption, but also, where the IT system has components – such as a laptop in this case – much higher levels of security clearly need to be employed," he added.

And, he went on to say, since the EMG scanner was located in a public place, namely a hospital, with members of the public wandering in and out, the laptop should have been both physically and electronically secured, to prevent theft.

This, says the Credant vice president, clearly didn't happen, meaning that the trust's patient data and IT security policies were broken on several fronts.

"Managers should have performed a full risk analysis, and defended both the scanner's portable component – in this case a valuable laptop – and even more importantly, the confidential patient data it contained. This is a serious lapse of NHS security policies," he added.

What’s Hot on Infosecurity Magazine?